Analysis Report PO_Invoices_pdf.exe

Overview

General Information

Sample Name: PO_Invoices_pdf.exe
Analysis ID: 347154
MD5: 59d7d8d5dd3e0055e7c0dcc75897f569
SHA1: b249b28d088d54e971e2d9d8b2688440f8e6d513
SHA256: ef715cd322f0a805a68840b215c062f2e254977170a11c6800d836eac781fabb
Tags: exeHawkEyeYahoo

Most interesting Screenshot:

Detection

HawkEye AgentTesla MailPassView Matiex
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected HawkEye Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Sigma detected: Capture Wi-Fi password
Yara detected AgentTesla
Yara detected AntiVM_3
Yara detected HawkEye Keylogger
Yara detected MailPassView
Yara detected Matiex Keylogger
.NET source code contains potential unpacker
.NET source code contains very large array initializations
.NET source code references suspicious native API functions
Allocates memory in foreign processes
Bypasses PowerShell execution policy
Changes the view of files in windows explorer (hidden files and folders)
Contains functionality to log keystrokes (.Net Source)
Drops PE files to the startup folder
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Initial sample is a PE file and has a suspicious name
Injects a PE file into a foreign processes
Installs a global keyboard hook
Machine Learning detection for dropped file
Machine Learning detection for sample
May check the online IP address of the machine
Powershell drops PE file
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Sample uses process hollowing technique
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal WLAN passwords
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Instant Messenger accounts or passwords
Tries to steal Mail credentials (via file access)
Uses netsh to modify the Windows network and firewall settings
Writes to foreign memory regions
Yara detected WebBrowserPassView password recovery tool
Adds / modifies Windows certificates
Antivirus or Machine Learning detection for unpacked file
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Checks if the current process is being debugged
Contains capabilities to detect virtual machines
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Creates a window with clipboard capturing capabilities
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
One or more processes crash
PE file contains strange resources
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Stores files to the Windows start menu directory
Tries to load missing DLLs
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara detected Credential Stealer
Yara signature match

Classification

AV Detection:

barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Avira: detection malicious, Label: TR/AD.MExecute.lzrac
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Avira: detection malicious, Label: SPR/Tool.MailPassView.473
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Avira: detection malicious, Label: TR/Spy.Gen8
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Avira: detection malicious, Label: TR/Redcap.jajcu
Found malware configuration
Source: RegAsm.exe.4888.5.memstr Malware Configuration Extractor: HawkEye {"Modules": ["WebBrowserPassView", "mailpv", "Mail PassView"], "Version": ""}
Source: hawkgoods.exe.3724.6.memstr Malware Configuration Extractor: Agenttesla {"Username: ": "", "URL: ": "", "To: ": "", "ByHost: ": "smtp.privateemail.com:587", "Password: ": "", "From: ": ""}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Metadefender: Detection: 43% Perma Link
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe ReversingLabs: Detection: 89%
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe ReversingLabs: Detection: 95%
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Metadefender: Detection: 40% Perma Link
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Metadefender: Detection: 37% Perma Link
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe ReversingLabs: Detection: 82%
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe ReversingLabs: Detection: 19%
Multi AV Scanner detection for submitted file
Source: PO_Invoices_pdf.exe ReversingLabs: Detection: 17%
Machine Learning detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Joe Sandbox ML: detected
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Joe Sandbox ML: detected
Machine Learning detection for sample
Source: PO_Invoices_pdf.exe Joe Sandbox ML: detected
Antivirus or Machine Learning detection for unpacked file
Source: 30.0.Matiexgoods.exe.bd0000.0.unpack Avira: Label: TR/Redcap.jajcu
Source: 8.2.Matiexgoods.exe.f70000.0.unpack Avira: Label: TR/Redcap.jajcu
Source: 27.2.hawkgoods.exe.a40000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 27.2.hawkgoods.exe.a40000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 6.0.hawkgoods.exe.2f0000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 6.0.hawkgoods.exe.2f0000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 30.2.Matiexgoods.exe.bd0000.0.unpack Avira: Label: TR/Redcap.jajcu
Source: 26.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 26.2.RegAsm.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 26.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Redcap.jajcu
Source: 26.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 26.2.RegAsm.exe.4031bf.2.unpack Avira: Label: TR/Inject.vcoldi
Source: 8.0.Matiexgoods.exe.f70000.0.unpack Avira: Label: TR/Redcap.jajcu
Source: 5.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 5.2.RegAsm.exe.400000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 5.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Redcap.jajcu
Source: 5.2.RegAsm.exe.400000.0.unpack Avira: Label: TR/Spy.Gen8
Source: 6.2.hawkgoods.exe.2f0000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 6.2.hawkgoods.exe.2f0000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack Avira: Label: TR/Inject.vcoldi
Source: 27.0.hawkgoods.exe.a40000.0.unpack Avira: Label: TR/AD.MExecute.lzrac
Source: 27.0.hawkgoods.exe.a40000.0.unpack Avira: Label: SPR/Tool.MailPassView.473
Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack Avira: Label: TR/Inject.vcoldi
Source: 5.2.RegAsm.exe.4031bf.1.unpack Avira: Label: TR/Inject.vcoldi
Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack Avira: Label: TR/Inject.vcoldi
Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack Avira: Label: TR/Inject.vcoldi

Compliance:

barindex
Uses 32bit PE files
Source: PO_Invoices_pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.7:49733 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.7:49785 version: TLS 1.0
Uses new MSVCR Dlls
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Contains modern PE file flags such as dynamic base (ASLR) or NX
Source: PO_Invoices_pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Binary contains paths to debug symbols
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbHs source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdbTD~1\AppData\Local\Temp\hawkgoods.exeAAGZ source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbm source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
Source: Binary string: RunPE.pdb source: PO_Invoices_pdf.exe, 00000000.00000002.277173827.00000000030A1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe
Source: Binary string: C:\Windows\mscorlib.pdbl source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe
Source: Binary string: symbols\dll\mscorlib.pdb7w source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
Source: Binary string: oC:\Windows\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp
Source: Binary string: mscorrc.pdb source: hawkgoods.exe, 00000006.00000002.391117104.0000000004E20000.00000002.00000001.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp

Spreading:

barindex
May infect USB drives
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp Binary or memory string: autorun.inf
Source: RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp Binary or memory string: [autorun]
Source: hawkgoods.exe Binary or memory string: autorun.inf
Source: hawkgoods.exe Binary or memory string: [autorun]

Software Vulnerabilities:

barindex
Found inlined nop instructions (likely shell or obfuscated code)
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 6_2_04B398B1
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then call 04B31B20h 6_2_04B392A6
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 6_2_04B392A6
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 6_2_04B314C0
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 6_2_04B35CCE
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then mov esp, ebp 6_2_04B34830
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 6_2_04B3A03E
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 6_2_04B3603C
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then jmp 04B31A73h 6_2_04B319B0
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then call 04B31B20h 6_2_04B391BC
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 6_2_04B391BC
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then jmp 04B31A73h 6_2_04B319A0
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 6_2_04B3A79F
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 6_2_04B317F8
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 6_2_04B3A937
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 6_2_04B30728
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 6_2_04B36711
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 6_2_04B35B70
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 6_2_04B3956B
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 4x nop then lea esp, dword ptr [ebp-0Ch] 6_2_04B39F54

Networking:

barindex
May check the online IP address of the machine
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: whatismyipaddress.com
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Source: unknown DNS query: name: checkip.dyndns.org
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.7:49741 -> 199.193.7.228:587
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 131.186.113.70 131.186.113.70
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 54328bd36c14bd82ddaa0c04b25ed9ad
Uses SMTP (mail sending)
Source: global traffic TCP traffic: 192.168.2.7:49741 -> 199.193.7.228:587
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Uses insecure TLS / SSL version for HTTPS connection
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.7:49733 version: TLS 1.0
Source: unknown HTTPS traffic detected: 104.21.19.200:443 -> 192.168.2.7:49785 version: TLS 1.0
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_00C6A14A recv, 6_2_00C6A14A
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1Host: whatismyipaddress.comConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.390146582.0000000003A21000.00000004.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.facebook.com (Facebook)
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.390146582.0000000003A21000.00000004.00000001.sdmp String found in binary or memory: @nss3.dllSOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\seamonkey.exe%programfiles%\Sea MonkeySOFTWARE\Mozillamozilla%s\binPathToExe%programfiles%\Mozilla FirefoxSELECT id, hostname, httpRealm, formSubmitURL, usernameField, passwordField, encryptedUsername, encryptedPassword FROM moz_logins.---signons.txtsignons2.txtsignons3.txtsignons.sqlitenetmsg.dllUnknown Error\Error %d: %seditkernel32.dll... open %2.2X %s (%s)Microsoft_WinInetMicrosoft_WinInet_u7@dllhost.exetaskhost.exetaskhostex.exebhvContainersContainerIdNameHistoryContainer_%I64dAccessCountCreationTimeExpiryTimeAccessedTimeModifiedTimeUrlEntryIDvisited:Microsoft\Windows\WebCache\WebCacheV01.datMicrosoft\Windows\WebCache\WebCacheV24.dat0123456789ABCDEFURL index.datSoftware\Microsoft\Internet Explorer\IntelliForms\Storage2https://www.google.com/accounts/serviceloginhttp://www.facebook.com/https://login.yahoo.com/config/login equals www.yahoo.com (Yahoo)
Source: hawkgoods.exe String found in binary or memory: http://www.facebook.com/ equals www.facebook.com (Facebook)
Source: vbc.exe, 00000012.00000003.306146332.000000000238B000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601453683&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692158540;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692158540;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://www.bing.com/orgid/idtoken/nosigninhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=351a037b-0597-47d9-b2c1-bfb1c870bba0&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%223B109BCA2CB841A781265B1D219195C1%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=
Source: vbc.exe, 00000012.00000003.306146332.000000000238B000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://login.live.com/login.srf?wa=wsignin1.0&rpsnv=11&ct=1601453683&rver=6.0.5286.0&wp=MBI_SSL&wreply=https:%2F%2fwww.bing.com%2Fsecure%2FPassport.aspx%3Fpopup%3D1%26ssl%3D1&lc=2055&id=264960&checkda=1https://login.live.com/login.srfhttps://www.google.com/chrome/https://www.microsoft.com/en-us/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edge/https://www.microsoft.com/en-us/welcomeie11/https://www.microsoft.com/en-us/edge?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/en-us/edgehttps://www.microsoft.com/edge/?form=MA13DL&OCID=MA13DLhttps://www.microsoft.com/edge/https://go.microsoft.com/fwlink/?LinkId=838604https://go.microsoft.com/fwlink/https://go.microsoft.com/fwlink/p/?LinkId=255141https://go.microsoft.com/fwlink/p/https://go.microsoft.com/fwlink/?LinkId=517287https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=2542116;cat=chom0;ord=7162084889081;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttps://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692158540;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=clien612;cat=chromx;ord=1;num=5657692158540;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fthank-you.html%3Fstatcb%3D0%26installdataindex%3Dempty%26defaultbrowser%3D0https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2F?https://2542116.fls.doubleclick.net/activityi;src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fabout:blankhttps://www.bing.com/orgid/idtoken/nosigninhttps://www.bing.com/search?q=chrome+download&src=IE-SearchBox&FORM=IESR4A&pc=EUPP_https://www.bing.com/searchhttps://adservice.google.co.uk/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=2wg9g1;~oref=https%3A%2F%2Fwww.google.com%2Fchrome%2Fhttp://www.msn.com/?ocid=iehphttp://www.msn.com/http://www.msn.com/de-ch/?ocid=iehphttp://www.msn.com/de-ch/https://login.microsoftonline.com/common/oauth2/authorize?client_id=9ea1ad79-fdb6-4f9a-8bc3-2b70f96e34c7&response_type=id_token&nonce=351a037b-0597-47d9-b2c1-bfb1c870bba0&redirect_uri=https%3a%2f%2fwww.bing.com%2forgid%2fidtoken%2fnosignin&scope=openid&response_mode=form_post&msafed=0&prompt=none&state=%7b%22ig%22%3a%223B109BCA2CB841A781265B1D219195C1%22%7dhttps://login.microsoftonline.com/common/oauth2/authorizehttps://contextual.media.net/checksync.php?&vsSync=1&cs=1&hb=1&cv=37&ndec=1&cid=8HBI57XIG&prvid=
Source: unknown DNS traffic detected: queries for: 69.170.12.0.in-addr.arpa
Source: origigoods40.exe, 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmp String found in binary or memory: http://127.0.0.1:HTTP/1.1
Source: origigoods40.exe, 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmp String found in binary or memory: http://DynDns.comDynDNS
Source: Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/
Source: Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmp String found in binary or memory: http://checkip.dyndns.org/HBFl
Source: Matiexgoods.exe, 00000008.00000003.461245193.00000000068F6000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: powershell.exe, 00000003.00000002.378127949.000000000088E000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, hawkgoods.exe, 00000006.00000002.390146582.0000000003A21000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/COMODOCodeSigningCA2.crl0r
Source: powershell.exe, 00000003.00000002.377998642.00000000007E6000.00000004.00000020.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: Matiexgoods.exe, 00000008.00000002.694705884.0000000001823000.00000004.00000020.sdmp String found in binary or memory: http://crl3.digicert.com/Omniroot2025.crl0m
Source: Matiexgoods.exe, 00000008.00000003.461245193.00000000068F6000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSADomainValidationSecureServerCA.crt0#
Source: origigoods40.exe, 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmp String found in binary or memory: http://csARxe.com
Source: PO_Invoices_pdf.exe, 00000000.00000003.247874552.000000000654D000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://fontfabrik.com
Source: PO_Invoices_pdf.exe, 00000000.00000003.247874552.000000000654D000.00000004.00000001.sdmp String found in binary or memory: http://fontfabrik.com(
Source: Matiexgoods.exe, 00000008.00000003.443342117.0000000009311000.00000004.00000001.sdmp String found in binary or memory: http://ns.ado/1
Source: Matiexgoods.exe, 00000008.00000003.443342117.0000000009311000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.c/g
Source: Matiexgoods.exe, 00000008.00000003.443342117.0000000009311000.00000004.00000001.sdmp String found in binary or memory: http://ns.adobe.cobj
Source: powershell.exe, 00000003.00000002.386788256.00000000058A3000.00000004.00000001.sdmp String found in binary or memory: http://nuget.org/NuGet.exe
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.390146582.0000000003A21000.00000004.00000001.sdmp, Matiexgoods.exe, 00000008.00000003.461245193.00000000068F6000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: Matiexgoods.exe, 00000008.00000002.694705884.0000000001823000.00000004.00000020.sdmp String found in binary or memory: http://ocsp.digicert.com0:
Source: Matiexgoods.exe, 00000008.00000003.461245193.00000000068F6000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.png
Source: powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmp String found in binary or memory: http://pesterbdd.com/images/Pester.pngL
Source: powershell.exe, 00000003.00000002.381287871.0000000004841000.00000004.00000001.sdmp, Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: PO_Invoices_pdf.exe, PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, powershell.exe, 00000003.00000003.370812465.0000000008DB1000.00000004.00000001.sdmp String found in binary or memory: http://tempuri.org/DataSet1.xsd
Source: hawkgoods.exe, 00000006.00000002.387343775.0000000002A21000.00000004.00000001.sdmp String found in binary or memory: http://whatismyipaddress.com
Source: hawkgoods.exe String found in binary or memory: http://whatismyipaddress.com/
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp String found in binary or memory: http://whatismyipaddress.com/-
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.html
Source: powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.htmlL
Source: PO_Invoices_pdf.exe, 00000000.00000003.250459528.0000000006513000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.com
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.carterandcone.coml
Source: PO_Invoices_pdf.exe, 00000000.00000003.250141662.0000000006515000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.como.
Source: PO_Invoices_pdf.exe, 00000000.00000003.250141662.0000000006515000.00000004.00000001.sdmp String found in binary or memory: http://www.carterandcone.como.R
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com
Source: hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/?
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/cabarga.htmlN
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, PO_Invoices_pdf.exe, 00000000.00000003.254406255.0000000006512000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers/frere-jones.html
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers8
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designers?
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fontbureau.com/designersG
Source: PO_Invoices_pdf.exe, 00000000.00000003.254406255.0000000006512000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comF
Source: PO_Invoices_pdf.exe, 00000000.00000003.272424177.0000000006510000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comY
Source: PO_Invoices_pdf.exe, 00000000.00000003.254406255.0000000006512000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.coma3
Source: PO_Invoices_pdf.exe, 00000000.00000003.272424177.0000000006510000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comceto
Source: PO_Invoices_pdf.exe, 00000000.00000003.254406255.0000000006512000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comd
Source: PO_Invoices_pdf.exe, 00000000.00000003.254406255.0000000006512000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comdV
Source: PO_Invoices_pdf.exe, 00000000.00000003.254406255.0000000006512000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comdsed
Source: PO_Invoices_pdf.exe, 00000000.00000003.272424177.0000000006510000.00000004.00000001.sdmp String found in binary or memory: http://www.fontbureau.comm
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.fonts.com
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/bThe
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cn/cThe
Source: PO_Invoices_pdf.exe, 00000000.00000003.249338917.0000000006516000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnR
Source: PO_Invoices_pdf.exe, 00000000.00000003.250141662.0000000006515000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cnT
Source: PO_Invoices_pdf.exe, 00000000.00000003.249338917.0000000006516000.00000004.00000001.sdmp String found in binary or memory: http://www.founder.com.cn/cniac
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/DPlease
Source: PO_Invoices_pdf.exe, 00000000.00000003.256526982.0000000006539000.00000004.00000001.sdmp, PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.galapagosdesign.com/staff/dennis.htm
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr
Source: PO_Invoices_pdf.exe, 00000000.00000003.249068129.0000000006515000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.kr9
Source: PO_Invoices_pdf.exe, 00000000.00000003.249068129.0000000006515000.00000004.00000001.sdmp String found in binary or memory: http://www.goodfont.co.krF
Source: PO_Invoices_pdf.exe, 00000000.00000003.250877364.0000000006512000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/
Source: PO_Invoices_pdf.exe, 00000000.00000003.250877364.0000000006512000.00000004.00000001.sdmp String found in binary or memory: http://www.jiyu-kobo.co.jp/l
Source: hawkgoods.exe, 00000006.00000002.390146582.0000000003A21000.00000004.00000001.sdmp String found in binary or memory: http://www.nirsoft.net/
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.sajatypeworks.com
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.sakkal.com
Source: PO_Invoices_pdf.exe, 00000000.00000003.251741662.000000000654D000.00000004.00000001.sdmp String found in binary or memory: http://www.sakkal.com-mq
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.sandoll.co.kr
Source: PO_Invoices_pdf.exe, 00000000.00000003.249068129.0000000006515000.00000004.00000001.sdmp String found in binary or memory: http://www.sandoll.co.krn-u
Source: hawkgoods.exe, 00000006.00000002.387343775.0000000002A21000.00000004.00000001.sdmp String found in binary or memory: http://www.site.com/logs.php
Source: hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.tiro.com
Source: PO_Invoices_pdf.exe, 00000000.00000003.249778536.0000000006512000.00000004.00000001.sdmp String found in binary or memory: http://www.tiro.com-cz
Source: PO_Invoices_pdf.exe, 00000000.00000003.248176476.000000000654D000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.net
Source: PO_Invoices_pdf.exe, 00000000.00000003.247998925.000000000654D000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.net-d
Source: PO_Invoices_pdf.exe, 00000000.00000003.248176476.000000000654D000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.net-siu
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.typography.netD
Source: PO_Invoices_pdf.exe, 00000000.00000003.248099180.000000000654D000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netn
Source: PO_Invoices_pdf.exe, 00000000.00000003.248176476.000000000654D000.00000004.00000001.sdmp String found in binary or memory: http://www.typography.netx
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.urwpp.deDPlease
Source: PO_Invoices_pdf.exe, 00000000.00000002.300417704.0000000006600000.00000002.00000001.sdmp, hawkgoods.exe, 00000006.00000002.391685560.00000000051E0000.00000002.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cn
Source: PO_Invoices_pdf.exe, 00000000.00000003.250141662.0000000006515000.00000004.00000001.sdmp String found in binary or memory: http://www.zhongyicts.com.cnaN
Source: vbc.exe, 00000012.00000003.306146332.000000000238B000.00000004.00000001.sdmp String found in binary or memory: https://adservice.google.com/ddm/fls/i/src=2542116;type=chrom322;cat=chrom01g;ord=5723238221569;gtm=
Source: origigoods40.exe, 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmp String found in binary or memory: https://api.ipify.org%GETMozilla/5.0
Source: Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmp String found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=Createutf-8Win32_ComputerSystemModelManufactu
Source: powershell.exe, 00000003.00000002.386788256.00000000058A3000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/
Source: powershell.exe, 00000003.00000002.386788256.00000000058A3000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/Icon
Source: powershell.exe, 00000003.00000002.386788256.00000000058A3000.00000004.00000001.sdmp String found in binary or memory: https://contoso.com/License
Source: Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/
Source: Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmp String found in binary or memory: https://freegeoip.app/xml/LoadTimeZoneCountryNameCountryCodehttps://www.geodatatool.com/en/?ip=/
Source: powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/Pester
Source: powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmp String found in binary or memory: https://github.com/Pester/PesterL
Source: Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmp String found in binary or memory: https://i.imgur.com/GJD7Q5y.png195.239.51.11795.26.248.2989.208.29.13389.187.165.4792.118.13.1895.26
Source: hawkgoods.exe String found in binary or memory: https://login.yahoo.com/config/login
Source: powershell.exe, 00000003.00000002.386788256.00000000058A3000.00000004.00000001.sdmp String found in binary or memory: https://nuget.org/nuget.exe
Source: Matiexgoods.exe, 00000008.00000002.699162061.00000000034E1000.00000004.00000001.sdmp String found in binary or memory: https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct
Source: Matiexgoods.exe, 00000008.00000003.461245193.00000000068F6000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: Matiexgoods.exe, 00000008.00000002.694705884.0000000001823000.00000004.00000020.sdmp String found in binary or memory: https://www.digicert.com/CPS0
Source: hawkgoods.exe String found in binary or memory: https://www.google.com/accounts/servicelogin
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.273863512.0000000003E4D000.00000004.00000001.sdmp, origigoods40.exe String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip
Source: origigoods40.exe, 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmp String found in binary or memory: https://www.theonionrouter.com/dist.torproject.org/torbrowser/9.5.3/tor-win32-0.4.3.6.zip%tordir%%ha
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49785
Source: unknown Network traffic detected: HTTP traffic on port 49785 -> 443

Key, Mouse, Clipboard, Microphone and Screen Capturing:

barindex
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000014.00000002.379809632.0000000005930000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.619183539.0000000005360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.641318198.00000000031B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4888, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_Invoices_pdf.exe PID: 5372, type: MEMORY
Source: Yara match File source: dropped/hawkgoods.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED
Source: Yara match File source: 27.2.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a48208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a9fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4031bf.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.a9fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4031bf.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.a48208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.31d8e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2a48e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPE
Contains functionality to log keystrokes (.Net Source)
Source: hawkgoods.exe.5.dr, Form1.cs .Net Code: HookKeyboard
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, Form1.cs .Net Code: HookKeyboard
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, Form1.cs .Net Code: HookKeyboard
Installs a global keyboard hook
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Windows user hook set: 0 keyboard low level C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Windows user hook set: 0 keyboard low level C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe
Creates a DirectInput object (often for capturing keystrokes)
Source: PO_Invoices_pdf.exe, 00000000.00000002.275896420.0000000001448000.00000004.00000020.sdmp Binary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
Creates a window with clipboard capturing capabilities
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Window created: window name: CLIPBRDWNDCLASS Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Window created: window name: CLIPBRDWNDCLASS
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Window created: window name: CLIPBRDWNDCLASS

System Summary:

barindex
Malicious sample detected (through community Yara rule)
Source: 00000014.00000002.379809632.0000000005930000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000014.00000002.379809632.0000000005930000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000025.00000002.619183539.0000000005360000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000025.00000002.619183539.0000000005360000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0000001B.00000002.641318198.00000000031B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0000001B.00000002.641318198.00000000031B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: dropped/hawkgoods.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: dropped/hawkgoods.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.0.hawkgoods.exe.a48208.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.hawkgoods.exe.a48208.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.0.hawkgoods.exe.a9fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.hawkgoods.exe.a9fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.0.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.RegAsm.exe.4031bf.2.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.RegAsm.exe.4031bf.2.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.hawkgoods.exe.a9fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.hawkgoods.exe.a9fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.0.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.0.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegAsm.exe.4031bf.1.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.4031bf.1.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 27.2.hawkgoods.exe.a48208.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.hawkgoods.exe.a48208.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.0.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.0.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.hawkgoods.exe.31d8e20.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 27.2.hawkgoods.exe.31d8e20.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 6.2.hawkgoods.exe.2a48e20.4.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 6.2.hawkgoods.exe.2a48e20.4.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPE Matched rule: Detects HawkEye RAT Author: Kevin Breen <kevin@techanarchy.net>
Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPE Matched rule: detect HawkEye in memory Author: JPCERT/CC Incident Response Group
.NET source code contains very large array initializations
Source: origigoods40.exe.5.dr, u003cPrivateImplementationDetailsu003eu007b772D8D2Cu002d540Eu002d45C7u002dB77Bu002d87944040F8A1u007d/u0033BD2C1DBu002d851Du002d4774u002dA593u002d2F90268EC16C.cs Large array initialization: .cctor: array initializer size 11965
Source: 7.0.origigoods40.exe.c30000.0.unpack, u003cPrivateImplementationDetailsu003eu007b772D8D2Cu002d540Eu002d45C7u002dB77Bu002d87944040F8A1u007d/u0033BD2C1DBu002d851Du002d4774u002dA593u002d2F90268EC16C.cs Large array initialization: .cctor: array initializer size 11965
Source: 7.2.origigoods40.exe.c30000.0.unpack, u003cPrivateImplementationDetailsu003eu007b772D8D2Cu002d540Eu002d45C7u002dB77Bu002d87944040F8A1u007d/u0033BD2C1DBu002d851Du002d4774u002dA593u002d2F90268EC16C.cs Large array initialization: .cctor: array initializer size 11965
Initial sample is a PE file and has a suspicious name
Source: initial sample Static PE information: Filename: PO_Invoices_pdf.exe
Source: initial sample Static PE information: Filename: PO_Invoices_pdf.exe
Powershell drops PE file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Jump to dropped file
Contains functionality to call native functions
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B658C6 NtUnmapViewOfSection, 6_2_04B658C6
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B6581E NtQuerySystemInformation, 6_2_04B6581E
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B6596E NtWriteVirtualMemory, 6_2_04B6596E
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B657DA NtQuerySystemInformation, 6_2_04B657DA
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B65941 NtWriteVirtualMemory, 6_2_04B65941
Detected potential crypto function
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Code function: 0_2_02F7CC7C 0_2_02F7CC7C
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Code function: 0_2_07B81928 0_2_07B81928
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Code function: 0_2_07B82950 0_2_07B82950
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Code function: 0_2_07C493D8 0_2_07C493D8
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Code function: 0_2_07C47F80 0_2_07C47F80
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_0095CF58 3_2_0095CF58
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Code function: 3_2_0095CF38 3_2_0095CF38
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_002FD426 6_2_002FD426
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_002FD523 6_2_002FD523
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_0030D5AE 6_2_0030D5AE
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_00307646 6_2_00307646
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_003329BE 6_2_003329BE
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_00336AF4 6_2_00336AF4
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_0035ABFC 6_2_0035ABFC
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_00353C4D 6_2_00353C4D
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_00353CBE 6_2_00353CBE
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_00353D2F 6_2_00353D2F
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_002FED03 6_2_002FED03
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_00353DC0 6_2_00353DC0
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_0030AFA6 6_2_0030AFA6
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_002FCF92 6_2_002FCF92
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B36048 6_2_04B36048
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B38710 6_2_04B38710
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B35758 6_2_04B35758
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B37098 6_2_04B37098
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B37088 6_2_04B37088
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B31D98 6_2_04B31D98
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_0032C7BC 6_2_0032C7BC
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Code function: 7_2_00C35804 7_2_00C35804
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Code function: 7_2_00C32296 7_2_00C32296
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Code function: 7_2_015146A0 7_2_015146A0
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Code function: 7_2_015145B0 7_2_015145B0
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Code function: 7_2_0151D300 7_2_0151D300
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 25ADE9899C000A27570B527CFFC938EC9626978219EC8A086082B113CBE4F492
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\hawkgoods.exe B3D02FD5C69293DB419AC03CDF6396BD5E7765682FB3B2390454D9A52BA2CA88
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\origigoods20.exe 1C7757EE223F2480FBC478AE2ECAF82E1D3C17F2E4D47581D3972416166C54AB
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\origigoods40.exe CFAD1E486666FF3FB042BA0E9967634DE1065F1BBD505C61B3295E55705A2A50
Found potential string decryption / allocating functions
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: String function: 0033BA9D appears 35 times
One or more processes crash
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2164
PE file contains strange resources
Source: PO_Invoices_pdf.exe Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: I$s#$lT3ssl.exe.3.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hawkgoods.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hawkgoods.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Source: hawkgoods.exe.5.dr Static PE information: Resource name: RT_ICON type: GLS_BINARY_LSB_FIRST
Sample file is different than original file name gathered from version info
Source: PO_Invoices_pdf.exe Binary or memory string: OriginalFilename vs PO_Invoices_pdf.exe
Source: PO_Invoices_pdf.exe, 00000000.00000002.277173827.00000000030A1000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameRunPE.dll" vs PO_Invoices_pdf.exe
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameLoginForm.dll6 vs PO_Invoices_pdf.exe
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameCMemoryExecute.dll@ vs PO_Invoices_pdf.exe
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameWebBrowserPassView.exeF vs PO_Invoices_pdf.exe
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamemailpv.exe< vs PO_Invoices_pdf.exe
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenamePhulli.exe0 vs PO_Invoices_pdf.exe
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameyuhttCAxwLFZshSGnwmMrfvGZfDSzxEDrzwk.exe4 vs PO_Invoices_pdf.exe
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameVNXT.exe* vs PO_Invoices_pdf.exe
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameE.exe4 vs PO_Invoices_pdf.exe
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameczzfIDlMOIuCXDkvbHSanvcpuIRYWjNm.exe4 vs PO_Invoices_pdf.exe
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp Binary or memory string: OriginalFilenameViottoBinder_Stub.exePADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPADDINGPAD
Source: PO_Invoices_pdf.exe, 00000000.00000002.309980821.0000000009400000.00000002.00000001.sdmp Binary or memory string: OriginalFilenameuser32j% vs PO_Invoices_pdf.exe
Tries to load missing DLLs
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Section loaded: security.dll
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: sfc.dll
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Section loaded: security.dll
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Section loaded: security.dll
Uses 32bit PE files
Source: PO_Invoices_pdf.exe Static PE information: 32BIT_MACHINE, EXECUTABLE_IMAGE
Yara signature match
Source: 0000001B.00000002.651684392.0000000007F40000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000014.00000002.379809632.0000000005930000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000014.00000002.379809632.0000000005930000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000025.00000002.619183539.0000000005360000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000025.00000002.619183539.0000000005360000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.651227274.0000000007C90000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000006.00000002.398436711.0000000007540000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 00000006.00000002.398332656.00000000073F0000.00000004.00000001.sdmp, type: MEMORY Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0000001B.00000002.641318198.00000000031B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0000001B.00000002.641318198.00000000031B1000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, type: MEMORY Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: dropped/hawkgoods.exe, type: DROPPED Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: dropped/hawkgoods.exe, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: dropped/hawkgoods.exe, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.hawkgoods.exe.73f0000.10.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.2.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.hawkgoods.exe.7540000.11.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.0.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 6.0.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.0.hawkgoods.exe.a48208.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.0.hawkgoods.exe.a48208.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.0.hawkgoods.exe.a48208.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.0.hawkgoods.exe.a9fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.0.hawkgoods.exe.a9fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 6.2.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.2.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.0.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.0.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 26.2.RegAsm.exe.4031bf.2.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.RegAsm.exe.4031bf.2.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 26.2.RegAsm.exe.4031bf.2.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.hawkgoods.exe.a9fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.2.hawkgoods.exe.a9fa72.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.hawkgoods.exe.7c90000.10.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 6.2.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 6.0.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.0.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 6.0.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.hawkgoods.exe.7f40000.11.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.0.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.0.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.0.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegAsm.exe.4031bf.1.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.4031bf.1.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.RegAsm.exe.4031bf.1.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.hawkgoods.exe.a48208.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.hawkgoods.exe.a48208.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.2.hawkgoods.exe.a48208.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 27.2.hawkgoods.exe.31f8c9c.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.0.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 6.0.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 6.2.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.hawkgoods.exe.2a689b0.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.2.hawkgoods.exe.31d8e20.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 27.2.hawkgoods.exe.31d8e20.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 27.2.hawkgoods.exe.31d8e20.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 6.2.hawkgoods.exe.2a48e20.4.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 6.2.hawkgoods.exe.2a48e20.4.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 6.2.hawkgoods.exe.2a48e20.4.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPE Matched rule: HKTL_NET_GUID_Stealer date = 2020-12-29, author = Arnim Rupp, description = Detects c# red/black-team tools via typelibguid, reference = https://github.com/malwares/Stealer, license = https://creativecommons.org/licenses/by-nc/4.0/
Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPE Matched rule: RAT_HawkEye date = 01.06.2015, filetype = exe, author = Kevin Breen <kevin@techanarchy.net>, maltype = KeyLogger, description = Detects HawkEye RAT, reference = http://malwareconfig.com/stats/HawkEye
Source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPE Matched rule: Hawkeye author = JPCERT/CC Incident Response Group, description = detect HawkEye in memory, rule_usage = memory scan, reference = internal research
Source: PO_Invoices_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: I$s#$lT3ssl.exe.3.dr Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: hawkgoods.exe.5.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: hawkgoods.exe.5.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: hawkgoods.exe.5.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor', 'TransformFinalBlock'
Source: hawkgoods.exe.5.dr, Form1.cs Cryptographic APIs: 'CreateDecryptor'
Source: origigoods40.exe.5.dr, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: origigoods40.exe.5.dr, A/b2.cs Cryptographic APIs: 'TransformFinalBlock', 'CreateDecryptor'
Source: hawkgoods.exe.5.dr, Form1.cs Base64 encoded string: 'hxYuBRkiiqF2m5U/v+PiR2nswhUqG0SslS0sInRy44yND2XYDxDtrDNZ25ZQ5u6E', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, Form1.cs Base64 encoded string: 'hxYuBRkiiqF2m5U/v+PiR2nswhUqG0SslS0sInRy44yND2XYDxDtrDNZ25ZQ5u6E', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, Form1.cs Base64 encoded string: 'hxYuBRkiiqF2m5U/v+PiR2nswhUqG0SslS0sInRy44yND2XYDxDtrDNZ25ZQ5u6E', 'ybZRZ/CCW7udMx58FQTRrK9RIMwrfnmlR5Z83UvMyu30rrOEs1DzW7d2mK+Drn3u', 'PN4TW3peZ3UeXi7asDB56E4dMEf6JrdkxXNUlrUjLlWcjHK1wZ5CpLZZKB/ocuFWy9Kw0Q8tIc1Qv7OEgqzD+w=='
Source: PO_Invoices_pdf.exe, 00000000.00000003.251356418.000000000654B000.00000004.00000001.sdmp Binary or memory string: Yu Type Library is a Trademark of JIYUKOBO Ltd. registered in Japan.slnt
Source: PO_Invoices_pdf.exe, 00000000.00000003.251513936.000000000654B000.00000004.00000001.sdmp Binary or memory string: n Japan.slnt
Source: classification engine Classification label: mal100.phis.troj.adwa.spyw.evad.winEXE@46/40@68/6
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B64E52 AdjustTokenPrivileges, 6_2_04B64E52
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B64E1B AdjustTokenPrivileges, 6_2_04B64E1B
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\PO_Invoices_pdf.exe.log Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1200:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8:120:WilError_01
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5440
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Mutant created: \Sessions\1\BaseNamedObjects\Global\.net clr networking
Source: C:\Windows\SysWOW64\WerFault.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess3724
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6980:120:WilError_01
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Local\Temp\__PSScriptPolicyTest_awkr53h0.pdr.ps1 Jump to behavior
Source: PO_Invoices_pdf.exe Static PE information: Section: .text IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Section loaded: C:\Windows\SysWOW64\msvbvm60.dll
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a152fe02a317a77aeee36903305e8ba6\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlp
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Section loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlp
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\SysWOW64\WerFault.exe Section loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe System information queried: HandleInformation
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe File read: C:\Windows\System32\drivers\etc\hosts Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\WerFault.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, hawkgoods.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, hawkgoods.exe Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, hawkgoods.exe, 00000006.00000002.390146582.0000000003A21000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q AND (type='table' OR type='index' OR type='trigger');
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, hawkgoods.exe Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND rootpage>0
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, hawkgoods.exe Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: PO_Invoices_pdf.exe Binary or memory string: INSERT INTO [dbo].[UsersTable] ([Id], [userName], [passWord], [locked]) VALUES (@Id, @userName, @passWord, @locked); SELECT Id, us
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, hawkgoods.exe Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, powershell.exe, 00000003.00000003.370812465.0000000008DB1000.00000004.00000001.sdmp Binary or memory string: UPDATE [dbo].[UsersTable] SET [Id] = @Id, [userName] = @userName, [passWord] = @passWord, [locked] = @locked WHERE (([Id] = @Original_Id) AND ([userName] = @Original_userName) AND ([passWord] = @Original_passWord) AND ([locked] = @Original_locked));
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, hawkgoods.exe Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: PO_Invoices_pdf.exe ReversingLabs: Detection: 17%
Source: unknown Process created: C:\Users\user\Desktop\PO_Invoices_pdf.exe 'C:\Users\user\Desktop\PO_Invoices_pdf.exe'
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PO_Invoices_pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\origigoods40.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\origigoods20.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2164
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 3724 -s 1996
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
Source: unknown Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\origigoods40.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0
Source: unknown Process created: C:\Users\user\AppData\Local\Temp\origigoods20.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2092
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: unknown Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: unknown Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5440 -s 940
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PO_Invoices_pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Local\Temp\origigoods40.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Local\Temp\origigoods20.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2164 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Local\Temp\origigoods40.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Local\Temp\origigoods20.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2092
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process created: unknown unknown
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: PO_Invoices_pdf.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: PO_Invoices_pdf.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: PO_Invoices_pdf.exe Static file information: File size 1655808 > 1048576
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll Jump to behavior
Source: PO_Invoices_pdf.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x18fe00
Source: PO_Invoices_pdf.exe Static PE information: NO_SEH, TERMINAL_SERVER_AWARE, DYNAMIC_BASE, NX_COMPAT
Source: Binary string: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbHs source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
Source: Binary string: mscorlib.pdbTD~1\AppData\Local\Temp\hawkgoods.exeAAGZ source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: mscorlib.pdbcorlib.pdbpdblib.pdb2.0.0.0__b77a5c561934e089\mscorlib.pdbm source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
Source: Binary string: RunPE.pdb source: PO_Invoices_pdf.exe, 00000000.00000002.277173827.00000000030A1000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Jovan\Documents\Visual Studio 2010\Projects\Stealer\CMemoryExecute\CMemoryExecute\obj\Release\CMemoryExecute.pdb source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe
Source: Binary string: C:\Windows\assembly\GA.pdbmscorlib\2.0.0.0__b77a5c561934e089\mscorlib.dll source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
Source: Binary string: indows\mscorlib.pdbpdblib.pdb source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\mailpv\Release\mailpv.pdb source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe
Source: Binary string: C:\Windows\mscorlib.pdbl source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: C:\Windows\dll\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: f:\Projects\VS2005\WebBrowserPassView\Release\WebBrowserPassView.pdb source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, hawkgoods.exe
Source: Binary string: symbols\dll\mscorlib.pdb7w source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
Source: Binary string: oC:\Windows\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.398710420.000000000782A000.00000004.00000010.sdmp
Source: Binary string: C:\Windows\symbols\dll\mscorlib.pdb source: hawkgoods.exe, 00000006.00000002.386288521.00000000026D7000.00000004.00000040.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdb source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp
Source: Binary string: mscorrc.pdb source: hawkgoods.exe, 00000006.00000002.391117104.0000000004E20000.00000002.00000001.sdmp
Source: Binary string: D:\Before FprmT\Document VB project\FireFox Stub\FireFox Stub\obj\Debug\VNXT.pdbh} source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, RegAsm.exe, 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp

Data Obfuscation:

barindex
.NET source code contains potential unpacker
Source: hawkgoods.exe.5.dr, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: hawkgoods.exe.5.dr, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: hawkgoods.exe.5.dr, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: hawkgoods.exe.5.dr, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, Form1.cs .Net Code: IsDotNet System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, Form1.cs .Net Code: run System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, Form1.cs .Net Code: stealMail System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, Form1.cs .Net Code: stealWebroswers System.Reflection.Assembly System.Reflection.Assembly::Load(System.Byte[])
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_00360712 push eax; ret 6_2_00360726
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_00360712 push eax; ret 6_2_0036074E
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_0033BA9D push eax; ret 6_2_0033BAB1
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_0033BA9D push eax; ret 6_2_0033BAD9
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_00C77EF4 push eax; ret 6_2_00C77EF5
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_00C77B84 push ebx; retf 6_2_00C77B86
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_00C77B81 push ebx; retf 6_2_00C77B82
Source: initial sample Static PE information: section name: .text entropy: 7.94835272626
Source: initial sample Static PE information: section name: .text entropy: 7.94835272626

Persistence and Installation Behavior:

barindex
Drops PE files
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\origigoods40.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Jump to dropped file
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File created: C:\Users\user\AppData\Local\Temp\origigoods20.exe Jump to dropped file
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Jump to dropped file

Boot Survival:

barindex
Drops PE files to the startup folder
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Jump to dropped file
Creates a start menu entry (Start Menu\Programs\Startup)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Jump to behavior
Stores files to the Windows start menu directory
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe\:Zone.Identifier:$DATA Jump to behavior

Hooking and other Techniques for Hiding and Protection:

barindex
Changes the view of files in windows explorer (hidden files and folders)
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Key value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced Hidden Jump to behavior
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOGPFAULTERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

barindex
Yara detected AntiVM_3
Source: Yara match File source: Process Memory Space: powershell.exe PID: 5904, type: MEMORY
Found evasive API chain (trying to detect sleep duration tampering with parallel thread)
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Function Chain: threadResumed,threadDelayed,systemQueried,memAlloc,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,systemQueried,processQueried,processQueried,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadAPCQueued,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Function Chain: threadDelayed,threadCreated,threadResumed,threadDelayed,threadDelayed,deviceIO,threadDelayed,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,threadDelayed,processSet,processSet,memAlloc,threadInformationSet,threadInformationSet,threadDelayed,systemQueried,threadDelayed,threadDelayed,threadDelayed,memAlloc,processSet
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Function Chain: memAlloc,systemQueried,systemQueried,threadCreated,threadResumed,threadDelayed,threadDelayed,threadDelayed,systemQueried,systemQueried,systemQueried,threadDelayed,threadDelayed,threadAPCQueued,threadDelayed,threadDelayed,threadDelayed,threadDelayed,threadDelayed,memAlloc,threadDelayed,memAlloc,memAlloc,memAlloc,memAlloc
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Contains capabilities to detect virtual machines
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Contains long sleeps (>= 3 min)
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Thread delayed: delay time: 300000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Thread delayed: delay time: 180000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Thread delayed: delay time: 922337203685477 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Thread delayed: delay time: 300000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Thread delayed: delay time: 180000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1357 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 1251 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Window / User API: threadDelayed 1099 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Window / User API: threadDelayed 8718 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Window / User API: threadDelayed 1499
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Window / User API: threadDelayed 8293
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4134
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 2549
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Window / User API: threadDelayed 798
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Window / User API: threadDelayed 9012
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Window / User API: threadDelayed 2778
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Window / User API: threadDelayed 6864
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe TID: 5908 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5836 Thread sleep count: 1357 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5888 Thread sleep count: 1251 > 30 Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6284 Thread sleep time: -11990383647911201s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6216 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 1516 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 6192 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 6644 Thread sleep time: -120000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 6648 Thread sleep time: -140000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 6668 Thread sleep time: -300000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 7036 Thread sleep time: -180000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 2148 Thread sleep time: -922337203685477s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 2148 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 2148 Thread sleep time: -100000s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 7108 Thread sleep time: -23058430092136925s >= -30000s Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 7112 Thread sleep count: 1099 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 7112 Thread sleep count: 8718 > 30 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -24903104499507879s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -199750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -99766s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -99531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -99156s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -99047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -98938s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -98828s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -98719s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -98610s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -196906s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -98344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -98234s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -196250s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -98016s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -195812s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -97797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -97688s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -97563s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -97453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -97344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -99546s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -99437s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -99328s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -99218s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -99109s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -99000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -98890s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -98781s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -98671s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -98562s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -98343s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -98015s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -97796s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -97687s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -97578s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -97468s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -97359s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 2804 Thread sleep time: -97250s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 6976 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 6976 Thread sleep count: 109 > 30
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 6976 Thread sleep time: -3270000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 6976 Thread sleep time: -90000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 6232 Thread sleep count: 224 > 30
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe TID: 6644 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5884 Thread sleep count: 4134 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 5884 Thread sleep count: 2549 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6664 Thread sleep count: 43 > 30
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6368 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 6084 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 576 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 5168 Thread sleep time: -120000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 5228 Thread sleep time: -140000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 5268 Thread sleep count: 60 > 30
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 5244 Thread sleep time: -300000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 712 Thread sleep time: -180000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 6812 Thread sleep time: -1844674407370954s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 6812 Thread sleep time: -500000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe TID: 6812 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 4760 Thread sleep time: -20291418481080494s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 4756 Thread sleep count: 798 > 30
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe TID: 4756 Thread sleep count: 9012 > 30
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -23980767295822402s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5248 Thread sleep count: 2778 > 30
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -99703s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -199188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -99453s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5248 Thread sleep count: 6864 > 30
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -99047s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -98938s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -98641s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -98531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -98406s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -98297s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -196282s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -196000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -195782s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -97750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -195282s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -97500s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -97391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -97281s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -97172s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -97063s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -96953s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -96844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -96735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -96594s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -99844s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -99735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -99344s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -99078s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -98969s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -98860s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -98735s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -98547s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -98391s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -98250s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -97531s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -97422s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -97313s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -97203s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -97094s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -96985s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -99750s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe TID: 5280 Thread sleep time: -99625s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 5960 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 5960 Thread sleep count: 112 > 30
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 5960 Thread sleep time: -3360000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 5960 Thread sleep time: -30000s >= -30000s
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe TID: 1352 Thread sleep count: 340 > 30
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_ComputerSystem
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File Volume queried: C:\ FullSizeInformation
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File Volume queried: C:\ FullSizeInformation
Source: powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmp Binary or memory string: Hyper-V
Source: powershell.exe, 00000003.00000002.382114009.0000000004983000.00000004.00000001.sdmp Binary or memory string: Al:C:\Windows\system32\WindowsPowerShell\v1.0\Modules\Hyper-V
Source: Matiexgoods.exe, 00000008.00000002.705756685.00000000044E1000.00000004.00000001.sdmp Binary or memory string: 1keA/sO5FDZFCBsE6iqEMuCQifoK6oH1s/UW1veY/gDcXrGORBZz4Z+noIDCwQ57PciD
Source: hawkgoods.exe, 00000006.00000002.397387574.00000000068E0000.00000002.00000001.sdmp, origigoods40.exe, 00000007.00000002.479272063.00000000060C0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: hawkgoods.exe, 00000006.00000002.397387574.00000000068E0000.00000002.00000001.sdmp, origigoods40.exe, 00000007.00000002.479272063.00000000060C0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: hawkgoods.exe, 00000006.00000002.397387574.00000000068E0000.00000002.00000001.sdmp, origigoods40.exe, 00000007.00000002.479272063.00000000060C0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: Matiexgoods.exe, 00000008.00000002.694705884.0000000001823000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: hawkgoods.exe, 00000006.00000002.397387574.00000000068E0000.00000002.00000001.sdmp, origigoods40.exe, 00000007.00000002.479272063.00000000060C0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process information queried: ProcessInformation Jump to behavior

Anti Debugging:

barindex
Checks if the current process is being debugged
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process queried: DebugPort Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process queried: DebugPort
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process queried: DebugPort
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B377F0 LdrInitializeThunk, 6_2_04B377F0
Enables debug privileges
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Memory allocated: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion:

barindex
.NET source code references suspicious native API functions
Source: hawkgoods.exe.5.dr, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: hawkgoods.exe.5.dr, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: origigoods40.exe.5.dr, A/b2.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 6.0.hawkgoods.exe.2f0000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, Form1.cs Reference to suspicious API methods: ('GetAsyncKeyState', 'GetAsyncKeyState@user32')
Source: 6.2.hawkgoods.exe.2f0000.0.unpack, RunPE.cs Reference to suspicious API methods: ('ReadProcessMemory', 'ReadProcessMemory@kernel32'), ('WriteProcessMemory', 'WriteProcessMemory@kernel32'), ('VirtualProtectEx', 'VirtualProtectEx@kernel32'), ('VirtualAllocEx', 'VirtualAllocEx@kernel32')
Source: 7.0.origigoods40.exe.c30000.0.unpack, A/b2.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Source: 7.2.origigoods40.exe.c30000.0.unpack, A/b2.cs Reference to suspicious API methods: ('A', 'MapVirtualKey@user32.dll')
Allocates memory in foreign processes
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory allocated: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 protect: page execute and read and write
Bypasses PowerShell execution policy
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PO_Invoices_pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
Injects a PE file into a foreign processes
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 value starts with: 4D5A
Sample uses process hollowing technique
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Section unmapped: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base address: 400000
Writes to foreign memory regions
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000 Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 403000 Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: D12008 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000 Jump to behavior
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 403000
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 88D008
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 412000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 416000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 418000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 400000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 401000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 443000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 44F000
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Memory written: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe base: 452000
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\Desktop\PO_Invoices_pdf.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Local\Temp\origigoods40.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0 Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Local\Temp\origigoods20.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2164 Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt' Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Local\Temp\hawkgoods.exe 'C:\Users\user~1\AppData\Local\Temp\hawkgoods.exe' 0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Local\Temp\origigoods40.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods40.exe' 0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe 'C:\Users\user~1\AppData\Local\Temp\Matiexgoods.exe' 0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe Process created: C:\Users\user\AppData\Local\Temp\origigoods20.exe 'C:\Users\user~1\AppData\Local\Temp\origigoods20.exe' 0
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe dw20.exe -x -s 2092
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holdermail.txt'
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Process created: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext 'C:\Users\user\AppData\Local\Temp\holderwb.txt'
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process created: unknown unknown
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Process created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe 'Powershell.exe' -ExecutionPolicy Bypass -command Copy-Item 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe'

Language, Device and Operating System Detection:

barindex
Queries the volume information (name, serial number etc) of a device
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Users\user\Desktop\PO_Invoices_pdf.exe VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\arial.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ariali.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\arialbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\arialbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ARIALN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ariblk.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ARIALNBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\bahnschrift.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\calibri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\calibril.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\calibrii.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\calibrili.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\calibrib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\calibriz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\cambria.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\cambriai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\cambriab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\cambriaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\Candara.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\Candarai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\Candarab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\Candaraz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\comic.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\comici.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\comicbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\comicz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\consola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\consolai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\consolab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\consolaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\constan.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\constani.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\constanb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\constanz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\corbel.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\corbeli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\corbelb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\corbelz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\cour.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\couri.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\courbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\courbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ebrima.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ebrimabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\framd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\FRADM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\framdit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\FRADMIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\FRAMDCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\FRADMCN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\FRAHV.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\FRAHVIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\Gabriola.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\gadugi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\gadugib.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\georgia.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\georgiai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\georgiab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\georgiaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\impact.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\Inkfree.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\javatext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LeelawUI.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LeelUIsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LeelaUIb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\lucon.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\l_10646.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\malgun.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\malgunsl.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\malgunbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\himalaya.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\msjh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\msjhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\msjhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ntailu.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ntailub.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\phagspa.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\phagspab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\taile.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\taileb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\msyh.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\msyhl.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\msyhbd.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\msyi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\mingliub.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\monbaiti.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\msgothic.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\mvboli.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\mmrtext.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\mmrtextb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\Nirmala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaS.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\NirmalaB.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\pala.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\palai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\palab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\palabi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\segoepr.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\segoeprb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\segoesc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\segoescb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\seguiemj.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\seguihis.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\seguisym.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\simsunb.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\Sitka.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\SitkaI.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\SitkaB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\SitkaZ.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\sylfaen.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\symbol.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\tahoma.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\tahomabd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\trebuc.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\trebucit.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\trebucbd.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\trebucbi.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\verdana.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\verdanai.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\verdanab.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\verdanaz.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\webdings.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\wingding.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\YuGothR.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\YuGothM.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\YuGothL.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\YuGothB.ttc VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\holomdl2.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CENTURY.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LEELAWDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\MSUIGHUB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG2.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\WINGDNG3.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\TEMPSITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\PRISTINA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\PAPYRUS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\MISTRAL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LHANDW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ITCKRIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\JUICE___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\FRSCRIPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\FREESCPT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BRADHITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\OUTLOOK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BKANT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUAB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ANTQUABI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GARA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GARAIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GARABD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\MTCORSVA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GOTHIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GOTHICBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ALGER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BASKVILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BAUHS93.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BELL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BELLI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BELLB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSDB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BRLNSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BERNHC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_PSTC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BRITANIC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BROADW.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BRUSHSCI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CALIFR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CALIFI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CALIFB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CENTAUR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CHILLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\COLONNA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\COOPBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\FTLTLT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\HARLOWSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\HARNGTON.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\HTOWERTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\JOKERMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\KUNSTLER.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LBRITE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LBRITED.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LBRITEDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LCALLIG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LFAX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LFAXD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LFAXI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LFAXDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\MAGNETOB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\MATURASC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\MOD20.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\NIAGENG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\NIAGSOL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\OLDENGL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ONYX.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\PARCHM.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\PLAYBILL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\POORICH.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\RAVIE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\INFROMAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\SHOWG.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\SNAP____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\STENCIL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\VINERITC.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\VIVALDII.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\VLADIMIR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LATINWD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\TCM_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\TCMI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\TCB_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\TCBI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\TCCM____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\TCCB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\TCCEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\SCRIPTBL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ROCK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ROCKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ROCKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ROCKEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ROCKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ROCC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ROCCB___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\RAGE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\PERTILI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\PERTIBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\PER_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\PERI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\PERB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\PERBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\PALSCRI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\OCRAEXT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\MAIAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LTYPE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LTYPEBO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LSANS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LSANSD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LSANSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\LSANSDI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\IMPRISHA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\HATTEN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GOUDYSTO.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GOUDOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GLECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GIL_____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GILI____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GILB____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GILBI___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GILC____.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GLSNECB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\GIGI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\FRABK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\FRABKIT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\FORTE.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\FELIXTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ERASMD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ERASLGHT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ERASDEMI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ERASBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ENGR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNT.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ELEPHNTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ITCEDSCR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CURLZ___.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\COPRGTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CENSCBK.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\SCHLBKBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CASTELAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CALIST.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CALISTI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CALISTB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\CALISTBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOS.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOOKOSBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_R.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_I.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_B.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_BLAI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BOD_CBI.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ITCBLKAD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\ARLRDBD.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYR.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\AGENCYB.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\BSSYM7.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\REFSAN.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\REFSPCL.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\MTEXTRA.TTF VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\marlett.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation Jump to behavior
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation Jump to behavior
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Users\user\AppData\Local\Temp\origigoods40.exe VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Queries volume information: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.DataSetExtensions\v4.0_4.0.0.0__b77a5c561934e089\System.Data.DataSetExtensions.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\I$s#$lT3ssl.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.ConsoleHost\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.ConsoleHost.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management.Automation\v4.0_3.0.0.0__31bf3856ad364e35\System.Management.Automation.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.DirectoryServices.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Security\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Security.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Management\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Management.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Configuration.Install\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Configuration.Install.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceProcess\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ServiceProcess.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.PowerShell.Commands.Utility\v4.0_3.0.0.0__31bf3856ad364e35\Microsoft.PowerShell.Commands.Utility.dll VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Users\user\AppData\Local\Temp\origigoods40.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\CustomMarshalers\v4.0_4.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods40.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Management\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Management.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.Extensions\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.Extensions.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Queries volume information: C:\Windows\assembly\GAC_32\CustomMarshalers\2.0.0.0__b03f5f7f11d50a3a\CustomMarshalers.dll VolumeInformation
Source: C:\Users\user\Desktop\PO_Invoices_pdf.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

barindex
Uses netsh to modify the Windows network and firewall settings
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Adds / modifies Windows certificates
Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 Blob Jump to behavior
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM AntivirusProduct
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT * FROM FirewallProduct

Stealing of Sensitive Information:

barindex
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000003.273863512.0000000003E4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.285132773.0000000003DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.423374232.0000000000722000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.425880345.0000000003A2D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.445463818.0000000000C32000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.430720019.00000000000E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.269169616.00000000010E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.696128013.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.419299258.0000000000E22000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.272090410.0000000003B4B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.414221299.00000000036C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.276618597.0000000003B4B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.286093751.00000000010E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.703454217.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.418225668.0000000000E23000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.418385560.000000000372B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.427152213.00000000039C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.273140883.0000000000C32000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.281843308.00000000000E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.428390015.0000000000E23000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.681903640.0000000000722000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.454660209.0000000002801000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.284634932.0000000003E4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.699392963.000000000352E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.419784850.000000000372B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.413803172.0000000000E23000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.424187770.000000000372B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.271788096.00000000010E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.283633869.0000000003B4B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: origigoods40.exe PID: 6172, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\origigoods20.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\origigoods40.exe, type: DROPPED
Source: Yara match File source: 7.0.origigoods40.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.origigoods40.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.origigoods20.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.origigoods20.exe.e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.origigoods20.exe.e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.origigoods40.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.origigoods40.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.0.origigoods20.exe.720000.0.unpack, type: UNPACKEDPE
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000014.00000002.379809632.0000000005930000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.619183539.0000000005360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.641318198.00000000031B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4888, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_Invoices_pdf.exe PID: 5372, type: MEMORY
Source: Yara match File source: dropped/hawkgoods.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED
Source: Yara match File source: 27.2.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a48208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a9fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4031bf.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.a9fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4031bf.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.a48208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.31d8e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2a48e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPE
Yara detected MailPassView
Source: Yara match File source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.642866499.00000000041B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.390146582.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000022.00000002.446713470.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000011.00000002.296594780.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4888, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_Invoices_pdf.exe PID: 5372, type: MEMORY
Source: Yara match File source: dropped/hawkgoods.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED
Source: Yara match File source: 17.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.34fa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.3a27e00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a9fa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.34fa72.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a48208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a9fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.41b7e00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4031bf.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.a9fa72.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.a9fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.41b7e00.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.3a27e00.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4031bf.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 34.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.a48208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 17.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPE
Yara detected Matiex Keylogger
Source: Yara match File source: 00000008.00000002.681623451.0000000000F72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.681849072.0000000000BD2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4888, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_Invoices_pdf.exe PID: 5372, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, type: DROPPED
Source: Yara match File source: 8.2.Matiexgoods.exe.f70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.Matiexgoods.exe.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Matiexgoods.exe.f9277c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.Matiexgoods.exe.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Matiexgoods.exe.f9277c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Matiexgoods.exe.f70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.Matiexgoods.exe.bf277c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.Matiexgoods.exe.bf277c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPE
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Tries to harvest and steal WLAN passwords
Source: unknown Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Process created: C:\Windows\SysWOW64\netsh.exe 'netsh' wlan show profile
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Cookies
Tries to harvest and steal ftp login credentials
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe File opened: C:\Users\user\AppData\Roaming\FileZilla\recentservers.xml
Tries to steal Instant Messenger accounts or passwords
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Google\Google Talk\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\IdentityCRL\Dynamic Salt
Tries to steal Mail credentials (via file access)
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676
Source: C:\Users\user\AppData\Local\Temp\origigoods20.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows Live Mail
Yara detected WebBrowserPassView password recovery tool
Source: Yara match File source: 00000023.00000002.465758929.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000012.00000002.308131659.0000000000400000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.642866499.00000000041B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.390146582.0000000003A21000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4888, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_Invoices_pdf.exe PID: 5372, type: MEMORY
Source: Yara match File source: dropped/hawkgoods.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED
Source: Yara match File source: 35.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2f9c0d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.3a27e00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.3a40240.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a48208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.41d0240.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.41b7e00.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.2f9c0d.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4031bf.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.41d0240.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.3a40240.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.40afcc.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.40afcc.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 35.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4031bf.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a49c0d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.a48208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.vbc.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.a49c0d.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 18.2.vbc.exe.400000.0.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPE
Yara detected Credential Stealer
Source: Yara match File source: 0000001C.00000002.696128013.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.703454217.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.454660209.0000000002801000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.699392963.000000000352E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: origigoods40.exe PID: 6172, type: MEMORY

Remote Access Functionality:

barindex
Detected HawkEye Rat
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: PO_Invoices_pdf.exe, 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: RegAsm.exe, 00000005.00000003.281965972.0000000003BE0000.00000004.00000001.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: hawkgoods.exe String found in binary or memory: HawkEye_Keylogger_Stealer_Records_
Source: hawkgoods.exe String found in binary or memory: HawkEyeKeylogger
Source: hawkgoods.exe String found in binary or memory: HawkEye_Keylogger_Keylog_Records_
Source: hawkgoods.exe String found in binary or memory: HawkEye_Keylogger_Execution_Confirmed_
Source: hawkgoods.exe, 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp String found in binary or memory: \pidloc.txt!HawkEyeKeylogger
Source: hawkgoods.exe, 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp String found in binary or memory: Installed Firewall: MHawkEye_Keylogger_Execution_Confirmed_.txtUHawkEye Keylogger | Execution Confirmed |
Source: hawkgoods.exe, 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp String found in binary or memory: ==============================================EHawkEye_Keylogger_Stealer_Records_MHawkEye Keylogger | Stealer Records |
Source: hawkgoods.exe, 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp String found in binary or memory: .jpegCHawkEye_Keylogger_Keylog_Records_
Source: hawkgoods.exe, 00000006.00000002.387343775.0000000002A21000.00000004.00000001.sdmp String found in binary or memory: q'&HawkEye_Keylogger_Execution_Confirmed_
Source: hawkgoods.exe, 00000006.00000002.387343775.0000000002A21000.00000004.00000001.sdmp String found in binary or memory: q#"HawkEye_Keylogger_Stealer_Records_
Yara detected AgentTesla
Source: Yara match File source: 00000005.00000003.273863512.0000000003E4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.285132773.0000000003DE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000000.423374232.0000000000722000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.425880345.0000000003A2D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.445463818.0000000000C32000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.430720019.00000000000E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.269169616.00000000010E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.696128013.0000000003201000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.455680542.0000000002FE1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000000.419299258.0000000000E22000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.272090410.0000000003B4B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.414221299.00000000036C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.276618597.0000000003B4B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.286093751.00000000010E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.703454217.0000000002F71000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.418225668.0000000000E23000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.418385560.000000000372B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.427152213.00000000039C1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000000.273140883.0000000000C32000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000000.281843308.00000000000E2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.428390015.0000000000E23000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001F.00000002.681903640.0000000000722000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000000A.00000002.454660209.0000000002801000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.284634932.0000000003E4D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.699392963.000000000352E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.419784850.000000000372B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.413803172.0000000000E23000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000003.424187770.000000000372B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.271788096.00000000010E3000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000003.283633869.0000000003B4B000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: origigoods40.exe PID: 6172, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\origigoods20.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\origigoods40.exe, type: DROPPED
Source: Yara match File source: 7.0.origigoods40.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.2.origigoods40.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.2.origigoods20.exe.720000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.0.origigoods20.exe.e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 10.2.origigoods20.exe.e0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 28.0.origigoods40.exe.e20000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.origigoods40.exe.c30000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 31.0.origigoods20.exe.720000.0.unpack, type: UNPACKEDPE
Yara detected HawkEye Keylogger
Source: Yara match File source: 00000014.00000002.379809632.0000000005930000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000025.00000002.619183539.0000000005360000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000000.417887646.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000002.383895800.00000000002F2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.636644097.0000000000A42000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001B.00000002.641318198.00000000031B1000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4888, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_Invoices_pdf.exe PID: 5372, type: MEMORY
Source: Yara match File source: dropped/hawkgoods.exe, type: DROPPED
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe, type: DROPPED
Source: Yara match File source: 27.2.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a48208.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a9fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a49c0d.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4031bf.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.a9fa72.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2f0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.2f8208.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.0.hawkgoods.exe.a40000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4031bf.1.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.a48208.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.0.hawkgoods.exe.2f9c0d.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.34fa72.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 27.2.hawkgoods.exe.31d8e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 6.2.hawkgoods.exe.2a48e20.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPE
Yara detected Matiex Keylogger
Source: Yara match File source: 00000008.00000002.681623451.0000000000F72000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: 0000001A.00000002.433264598.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.277417941.00000000040A8000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.287278765.0000000000403000.00000040.00000001.sdmp, type: MEMORY
Source: Yara match File source: 0000001E.00000002.681849072.0000000000BD2000.00000002.00020000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: RegAsm.exe PID: 4888, type: MEMORY
Source: Yara match File source: Process Memory Space: PO_Invoices_pdf.exe PID: 5372, type: MEMORY
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Matiexgoods.exe, type: DROPPED
Source: Yara match File source: 8.2.Matiexgoods.exe.f70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.Matiexgoods.exe.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.2.Matiexgoods.exe.f9277c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.Matiexgoods.exe.bd0000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Matiexgoods.exe.f9277c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4031bf.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 8.0.Matiexgoods.exe.f70000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.Matiexgoods.exe.bf277c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.Matiexgoods.exe.bf277c.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4095c7.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.4095c7.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 5.2.RegAsm.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.40afcc.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.unpack, type: UNPACKEDPE
Source: Yara match File source: 26.2.RegAsm.exe.4031bf.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4156d80.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4398f3f.4.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.40a9510.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.4158f3f.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 23.2.I$s#$lT3ssl.exe.3e69510.5.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.PO_Invoices_pdf.exe.4396d80.5.raw.unpack, type: UNPACKEDPE
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B60E9E bind, 6_2_04B60E9E
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B60A8E listen, 6_2_04B60A8E
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B60E6B bind, 6_2_04B60E6B
Source: C:\Users\user\AppData\Local\Temp\hawkgoods.exe Code function: 6_2_04B60A50 listen, 6_2_04B60A50
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 347154 Sample: PO_Invoices_pdf.exe Startdate: 02/02/2021 Architecture: WINDOWS Score: 100 90 smtp.privateemail.com 2->90 106 Found malware configuration 2->106 108 Malicious sample detected (through community Yara rule) 2->108 110 Sigma detected: Capture Wi-Fi password 2->110 112 20 other signatures 2->112 10 PO_Invoices_pdf.exe 3 2->10         started        14 I$s#$lT3ssl.exe 2->14         started        signatures3 process4 file5 88 C:\Users\user\...\PO_Invoices_pdf.exe.log, ASCII 10->88 dropped 118 Writes to foreign memory regions 10->118 120 Allocates memory in foreign processes 10->120 122 Injects a PE file into a foreign processes 10->122 16 RegAsm.exe 5 10->16         started        19 powershell.exe 16 10->19         started        22 RegAsm.exe 14->22         started        24 powershell.exe 14->24         started        signatures6 process7 file8 68 C:\Users\user\AppData\...\origigoods40.exe, PE32 16->68 dropped 70 C:\Users\user\AppData\...\origigoods20.exe, PE32 16->70 dropped 72 C:\Users\user\AppData\...\Matiexgoods.exe, PE32 16->72 dropped 26 hawkgoods.exe 15 6 16->26         started        30 Matiexgoods.exe 16->30         started        32 origigoods20.exe 16->32         started        34 origigoods40.exe 2 16->34         started        74 C:\Users\user\AppData\...\I$s#$lT3ssl.exe, PE32 19->74 dropped 76 C:\Users\...\I$s#$lT3ssl.exe:Zone.Identifier, ASCII 19->76 dropped 114 Drops PE files to the startup folder 19->114 116 Powershell drops PE file 19->116 36 conhost.exe 19->36         started        78 C:\Users\user\AppData\Local\...\hawkgoods.exe, PE32 22->78 dropped 38 hawkgoods.exe 22->38         started        40 origigoods20.exe 22->40         started        44 2 other processes 22->44 42 conhost.exe 24->42         started        signatures9 process10 dnsIp11 102 3 other IPs or domains 26->102 124 Antivirus detection for dropped file 26->124 126 Multi AV Scanner detection for dropped file 26->126 128 Machine Learning detection for dropped file 26->128 146 3 other signatures 26->146 46 vbc.exe 26->46         started        49 dw20.exe 26->49         started        52 WerFault.exe 26->52         started        54 vbc.exe 26->54         started        92 checkip.dyndns.org 30->92 104 2 other IPs or domains 30->104 130 Tries to steal Mail credentials (via file access) 30->130 132 Tries to harvest and steal browser information (history, passwords, etc) 30->132 134 Tries to harvest and steal WLAN passwords 30->134 56 netsh.exe 30->56         started        94 smtp.privateemail.com 199.193.7.228, 49740, 49741, 49742 NAMECHEAP-NETUS United States 32->94 136 Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines) 32->136 138 Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines) 32->138 140 Found evasive API chain (trying to detect sleep duration tampering with parallel thread) 32->140 96 69.170.12.0.in-addr.arpa 38->96 148 3 other signatures 38->148 58 vbc.exe 38->58         started        60 vbc.exe 38->60         started        62 dw20.exe 38->62         started        64 WerFault.exe 38->64         started        142 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 40->142 144 Tries to harvest and steal ftp login credentials 40->144 98 checkip.dyndns.org 44->98 100 216.146.43.70, 49777, 49779, 49787 DYNDNSUS United States 44->100 signatures12 process13 file14 150 Tries to steal Instant Messenger accounts or passwords 46->150 152 Tries to steal Mail credentials (via file access) 46->152 80 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 49->80 dropped 82 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 52->82 dropped 66 conhost.exe 56->66         started        154 Tries to harvest and steal browser information (history, passwords, etc) 60->154 84 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 62->84 dropped 86 C:\ProgramData\Microsoft\...\Report.wer, Little-endian 64->86 dropped signatures15 process16
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
131.186.113.70
 unknown United States
33517 DYNDNSUS false
104.16.155.36
 unknown United States
13335 CLOUDFLARENETUS false
104.21.19.200
 unknown United States
13335 CLOUDFLARENETUS false
199.193.7.228
 unknown United States
22612 NAMECHEAP-NETUS false
216.146.43.70
 unknown United States
33517 DYNDNSUS false

Private
IP
192.168.2.1

Contacted Domains

Name IP Active
whatismyipaddress.com 104.16.155.36 true
freegeoip.app 104.21.19.200 true
smtp.privateemail.com 199.193.7.228 true
checkip.dyndns.com 131.186.113.70 true
69.170.12.0.in-addr.arpa unknown unknown
checkip.dyndns.org unknown unknown

Contacted URLs

Name Malicious Antivirus Detection Reputation
http://checkip.dyndns.org/ false
  • Avira URL Cloud: safe
 unknown
http://whatismyipaddress.com/ false
    		high